T1218.012 IBM QRadar · QRadar

Detect Verclsid in IBM QRadar

Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe (Extension CLSID Verification Host) is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell. Adversaries can register a malicious COM object under a CLSID and then invoke verclsid.exe with that CLSID to trigger execution. Since verclsid.exe is signed by Microsoft and performs legitimate COM verification activities, it can bypass application control solutions. Hancitor malware is a known user of this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.012 Verclsid
Canonical reference
https://attack.mitre.org/techniques/T1218/012/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip,
  "CommandLine" AS command_line,
  "ParentCommandLine" AS parent_command_line,
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  CASE WHEN LOWER("CommandLine") MATCHES REGEX '\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}' THEN 1 ELSE 0 END AS has_clsid,
  CASE WHEN LOWER("ParentImage") MATCHES REGEX '(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$' THEN 1 ELSE 0 END AS suspicious_parent,
  CASE WHEN LOWER("CommandLine") MATCHES REGEX '(/s|/c)' THEN 1 ELSE 0 END AS forced_exec,
  CASE WHEN LOWER("ParentImage") LIKE '%verclsid.exe' AND LOWER("Image") MATCHES REGEX '(cmd|powershell|wscript|cscript)\.exe$' THEN 1 ELSE 0 END AS suspicious_child
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 396)
  AND (LOWER("Image") LIKE '%\\verclsid.exe' OR LOWER("ParentImage") LIKE '%\\verclsid.exe')
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (CASE WHEN LOWER("CommandLine") MATCHES REGEX '\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}' THEN 1 ELSE 0 END +
     CASE WHEN LOWER("ParentImage") MATCHES REGEX '(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$' THEN 1 ELSE 0 END +
     CASE WHEN LOWER("CommandLine") MATCHES REGEX '(/s|/c)' THEN 1 ELSE 0 END) > 1
    OR LOWER("ParentImage") LIKE '%verclsid.exe'
  )
ORDER BY devicetime DESC
high severity medium confidence

Detects verclsid.exe abuse for CLSID-based COM proxy execution. Queries Sysmon process creation events (EventID 1) ingested into QRadar, scoring on presence of CLSID arguments, suspicious parent processes, forced execution flags, and suspicious child processes spawned by verclsid.exe.

Data Sources

Microsoft Windows Sysmon (via QRadar DSM)Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Windows Explorer performing routine shell extension validation for newly installed software with COM components
  • Enterprise software packaging tools (e.g., MSI installers, ConfigMgr) that register and verify COM objects as part of managed deployments
  • Security products conducting COM object integrity checks that spawn verclsid.exe via automation scripts
Download portable Sigma rule (.yml)

Other platforms for T1218.012

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Verclsid Execution with CLSID Argument

    Expected signal: Sysmon Event ID 1: verclsid.exe with /S /C and CLSID in command line. Security Event ID 4688. The process will attempt to load the COM object registered for this CLSID.

  2. Test 2Verclsid Launched from cmd.exe

    Expected signal: Sysmon Event ID 1: cmd.exe then verclsid.exe with ParentImage=cmd.exe. HasCLSID, ForcedExec, and SuspiciousParent all fire.

  3. Test 3Malicious COM CLSID Registration for Verclsid Abuse

    Expected signal: Sysmon Event ID 13 (Registry Value Set): HKCU\Software\Classes\CLSID path with Temp DLL path as data. The COM registration hunting query captures this as a malicious InprocServer32 pointing to a temp directory.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1218.012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1559.001Component Object ModelT1546.015Component Object Model HijackingT1112Modify RegistryT1218.009Regsvcs/Regasm

Same Tactic: Defense Evasion

Popular Detections